commit 65f2eec694f18a64291cc85317b9f22dacc1d8e4 Author: Nick Mathewson nickm@torproject.org Date: Thu Feb 1 16:33:52 2018 -0500

Correctly handle NULL returns from parse_protocol_list when voting.

In some cases we had checked for it, but in others we had not. One of these cases could have been used to remotely cause denial-of-service against directory authorities while they attempted to vote.

Fixes TROVE-2018-001. --- changes/trove-2018-001.1 | 6 ++++++ src/or/protover.c | 6 ++++++ 2 files changed, 12 insertions(+)

diff --git a/changes/trove-2018-001.1 b/changes/trove-2018-001.1 new file mode 100644 index 000000000..f0ee92f40 --- /dev/null +++ b/changes/trove-2018-001.1 @@ -0,0 +1,6 @@ + o Major bugfixes (denial-of-service, directory authority): + - Fix a protocol-list handling bug that could be used to remotely crash + directory authorities with a null-pointer exception. Fixes bug 25074; + bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001. + + diff --git a/src/or/protover.c b/src/or/protover.c index 98957cabd..a75077462 100644 --- a/src/or/protover.c +++ b/src/or/protover.c @@ -554,6 +554,12 @@ protover_compute_vote(const smartlist_t *list_of_proto_strings, // First, parse the inputs and break them into singleton entries. SMARTLIST_FOREACH_BEGIN(list_of_proto_strings, const char *, vote) { smartlist_t *unexpanded = parse_protocol_list(vote); + if (! unexpanded) { + log_warn(LD_NET, "I failed with parsing a protocol list from " + "an authority. The offending string was: %s", + escaped(vote)); + continue; + } smartlist_t *this_vote = expand_protocol_list(unexpanded); if (this_vote == NULL) { log_warn(LD_NET, "When expanding a protocol list from an authority, I "